Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 7 Next »

This page outlines the steps to enable AWS Integration with Zilla. We will be using the Delegate access across AWS accounts using IAM roles tutorial as a guide to allow you to delegate access of your AWS account to Zilla’s AWS account using AWS IAM Roles.

Bring in IAM Users and Groups into Zilla

To bring in IAM Users and Groups of an AWS Account, you need to create an IAM Role and attach an IAM Policy to it.

Create an IAM Policy for IAM Users and Groups

Steps to create an IAM Policy

  1. Login to the AWS Account via the AWS Management Console

    Enter your 12-digit account number. Click Next and then enter your username and password to login.

  2. Once you are logged in, you will land on the home page with a search bar at the top.

     

  3. In the search bar, search for IAM and click on the search result called IAM.

     

  4. You will be redirected to the IAM dashboard.

     

  5. Before creating a role, we will first create a policy that will be assigned to the role. Click Policies on the left hand side menu.

     

  6. Search for Security Audit policy

  7. IAM Policy Creation: Enter the following json snippet and click Next Tags. Replace <YOUR_AWS_ACCOUNT_ID> with your 12 digit AWS Account ID. The following policy allows Zilla to read the IAM Users and Groups information from your AWS account

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:GetGroup",
            "Resource": "arn:aws:iam::<YOUR_AWS_ACCOUNt_ID>:group/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:GetAccountAuthorizationDetails",
            "Resource": "*"
        }
    ]
}

     

     

  8. Optionally add tags and click Next: Review.

  9. Review Policy: On the review page, enter the Name (Zilla-IAM-Reader-Policy) and optionally a description for the policy. Review the permissions assigned to the policy and then click Create policy The policy will look like this:

     

  10. You will see a success message that the policy has been created.

     

  11. To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.

     

  12. Click on the policy Zilla-IAM-Reader-Policy to double check the assigned permissions. The policy will look like this:

    Click on the {} JSON tab to double check the policy json. (Account ID redacted from screenshot)

     

Now that you have created the policy, the next step is to create a cross account Role.

Create an IAM Role for IAM Users and Groups

Steps to create an IAM Role

  1. Click on Roles from the left hand side menu to begin then click Create role button to create a new IAM Role.

     

  2. Under Select type of trusted entity select Another AWS account and enter the 12 digit Account ID of Zilla (087210011007). Click Next: Permissions.

     

  3. On the permissions page, search for the policy created ,Zilla-IAM-Reader-Policy , and select the checkbox. Click Next: Tags.

     

  4. Optionally add tags and click Next: Review.

     

  5. On the review page, add the name of the role Zilla-IAM-Reader-Role and optionally add a description. Review the trusted entity account id matches Zilla’s account Id (087210011007) and that the Policies section contains Zilla-IAM-Reader-Policy. Click Create role.

     

  6. Once the role is created, you can search for it on the roles tab and click on the role to check its details.

     

  7. On the role details page, double check the policy under Permissions and Trusted entities has Zilla Account ID (087210011007) under Trust relationships.

     

Notes:

  1. Copy the Role ARN. For example: arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-IAM-Reader-Role and keep it handy for later.

  2. Typically IAM Users and Groups are created against each AWS Account, so you will need to create the above role and policy for each of your AWS Accounts.

  3. Currently, the IAM Role and Policy creation to bring in IAM Users and Groups is mandatory in Zilla.

Bring SSO Users, Groups and Permission Sets into Zilla

Create an IAM Policy for SSO Users, Groups and Permission Set

Steps to create an IAM Policy

  1. Click on Policies on the left hand side menu of the IAM Dashboard.

     

  2. Click Create policy and click on the JSON tab.

  3. IAM Policy Creation: Enter the following json snippet and click Next: Tags. The following policy allows Zilla to read the SSO Users, Groups and Permission Sets information from your AWS account

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sso:ListAccountAssignments",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:DescribePermissionSet"
            ],
            "Resource": [
                "arn:aws:sso:::instance/*",
                "arn:aws:sso:::permissionSet/*/*",
                "arn:aws:sso:::account/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "identitystore:DescribeUser",
                "identitystore:DescribeGroup"
            ],
            "Resource": "*"
        }
    ]
}

     

     

  4. Optionally add tags and click Next: Review.

  5. Review Policy: On the review page, enter the Name (Zilla-SSO-Reader-Policy) and optionally a description for the policy. Review the permissions assigned to the policy and then click Create policy. The policy will look like this:

     

  6. You will see a success message like this:

     

  7. To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.

     

  8. Click the policy Zilla-SSO-Reader-Policy to double check the assigned permissions. The policy will look like this:

    Click on the {} JSON tab to double check the policy json.

     

Now that you have created the policy, the next step is to create a cross account Role.

Create an IAM Role for SSO Users, Groups and Permission Set

Steps to create an IAM Role

  1. Click Roles from the left hand side menu to begin.

     

  2. Click Create role button to create a new IAM Role. Under Select type of trusted entity select Another AWS account and enter the 12 digit Account ID of Zilla (087210011007) and then click Next: Permissions.

     

  3. On the permissions page, search for the policy created ,Zilla-SSO-Reader-Policy , and select the checkbox. Then click Next: Tags.

     

  4. Optionally add tags and click Next: Review.

     

  5. On the review page, add the name of the role Zilla-SSO-Reader-Role and optionally add a description. Review the trusted entity account id matches Zilla’s account Id (087210011007) and that the Policies section contains Zilla-SSO-Reader-Policy, then click Create role .

     

  6. Once the role is created, you can search for it on the roles tab and click on the role to check its details.

     

  7. On the role details page, double check the policy under Permissions and Trusted entities has Zilla Account ID (087210011007) under Trust relationships.

     

Notes:

  1. Copy the Role ARN. For example: arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role and keep it handy for later.

  2. Typically organizations will have one MASTER AWS ACCOUNT under which they will setup multiple Users, Groups, Permission Sets and AWS Accounts. So it’s likely you will need to create the SSO Role and Policy creation only once against your MASTER AWS ACCOUNT.

  3. Currently, the IAM Role and Policy creation to bring in SSO Users, Groups and Permission Sets is optional in Zilla.

 

Things to keep handy

  1. For IAM Users and Groups: Copy the Role ARN. For eg: arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-IAM-Reader-Role created above.

  2. For SSO Users and Groups:, you need to keep the following things handy:

    1. Copy the SSO Role ARN of your Master AWS Account. For eg: arn:aws:iam::<YOUR_AWS_SSO_MASTER_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role created above

    2. ARN of the SSO Instance

    3. Identity Store Id of the Identity Provider of SSO Instance

    4. 12 digit Account ID of the AWS Instance for which you want to bring in SSO Users and Groups

    5. AWS Region under which AWS SSO is setup

    6. AWS SCIM Endpoint

    7. AWS SCIM Access Token

  3. Here are the instructions to get the above details:

    1. In the search bar at the top, search for AWS SSO and click on the search result called AWS Single Sign-On as shown below.

       

    2. You will land on the AWS SSO dashboard.

       

    3. Click the Settings option on the left menu.

       

    4. Copy the ARN of the SSO Instance and keep it handy. It will look something like this: arn:aws:sso:::instance/ssoins-<SOME_ALPHANUMERIC_ID>.

    5. Also, copy the Identity store ID. It will look something like this: d-<SOME_NUMBERS> .

    6. Next, click the AWS accounts option from the left menu.

       

    7. Copy the 12 digit Account Id of the AWS Account whose Permission sets assignments you want to get.

    8. Copy the region in which the AWS SSO Organization has been created. For eg: us-east-1.

       

    9. Go back to Settings to get the Automatic Provisioning (SCIM) details

      You can only get the SCIM details if Automatic Provisioning is enabled. You can choose to keep Automatic Provisioning disabled or choose to enable at this point. If Automatic Provisioning is disabled, Zilla won’t be able to track the Active Status of a user.

    10. To enable Automatic Provisioning, click Enable automatic provisioning.

      Copy the SCIM Endpoint and keep it handy.

    11. Click Show token and copy the token. Note that this token is available to be copied only once.

Set up AWS Application Integration on Zilla

  1. Login to Zilla at http://app.zillasecurity.com/ .

     

  2. Once you are signed in, you will land on the Applications page.

     

  3. Click Add Application. You will see a library of all applications listed which are supported by Zilla.

     

  4. Type “aws” into the search bar to filter the results.

     

  5. Click on Add to Applications next to the Amazon Web Services entry. You will see a dialog box appear.

    All the fields are optional. Click Add to Applications.

  6. You will be redirected back to the Applications page and you will see the Amazon Web Services entry included in the list.

     

  7. Next, click on the application to configure its integration.

  8. Click the Sync Now link in the top right corner. You will see a dialog box appear.

  9. Click on the toggle button under API Integration to enable the API Integration.

  10. Enter the values you copied from the Things to keep handy section above and click Next.

  11. Click Next again.

     

  12. Your sync will begin. Once it completes, you will see the below message.

     

  13. Click Done . You will then see a message like this if the sync completed successfully.

  14. You can close the message dialog and navigate to the Accounts tab to the IAM Users from your AWS account.

     

  15. Next, click the Permissions tab to browse the Permission assigned to each user.

When you have finished with all the steps above, review the information in Zilla that was synced.

Having trouble? Try our Troubleshooting articles or visit support.zillasecurity.com and submit a ticket. Our support team will assist you in resolving the problem as quickly as possible.

  • No labels